Bank employees, not customers, are now the main target of financial
cyber attacks, according to the FBI.

In a warning issued earlier this week, it said the latest trend by
cybercriminals is to get employee login credentials, using spam and
phishing emails, keystroke loggers, and Remote Access Trojans (RATs).

And the best way to fight it? That leads to the ongoing debate over
training vs. technology. While most security experts say both are
necessary, and the FBI provides a list of training recommendations and
policy protocols to keep employees from giving up the keys to the
financial kingdom, some experts, like George Tubin, senior security
strategist for Trusteer, say improved technology is the only effective
solution.

"Part of the solution is training," he said. "But
we've been talking about this for so long, trying to educate
customers and employees. It has become one of those battles I don't
think we're going to win."

"Some of the ploys are so good they could fool almost anyone
— very sophisticated schemes like web injections and email
from friends that lead you to open an attachment. The real answer comes
in automated technology, to make sure people don't respond to those
things," Tubin said.

He also noted that the trend toward employees working at remote
branches or at home, the BYOD (bring your own device) trend, and being
allowed to surf the web off the corporate network "makes them
extremely vulnerable."

Brian Berger, vice president at Wave Systems, agrees. "Users
are going to be users no matter how strong the security awareness
education is, so it is critical that organisations have a counter
measure in place to help mitigate threats like these," he said.
"Specifically, hardware authentication through the Trusted Platform
Module (TPM) makes it so the criminals couldn't penetrate even if
the employee had a misstep."

Kevin Flynn, a senior product manager at Fortinet, compares
training to driver education for teens. "Drivers Ed may help reduce
accidents but it doesn't necessarily make teenagers safe
drivers," he said. "Security belongs in the network."

However, Scott Greaux, vice president of product management and
services at PhishMe, said, "Education is an organisation's
best defence against these threats but those efforts need to break away
from the traditional security awareness model and employ creative and
immersive education techniques such as mock phishing exercises that both
improve awareness and increase retention."

Greaux doesn't rule out better technology as a factor. But he
said the human element can add a layer of security to the process.
"Financial institutions should implement a mix of random and
threshold-based reviews for all wire transfers," he said.
"This will add an extra layer of human interaction with
transactions, making it more challenging for fraudulent transfers to go
unnoticed."

The potential damage from stolen credentials is obvious. With that
information — especially if they have the credentials of more than one
employee — criminals can access the accounts of any customer.
The FBI did not name any specific banks, but said that
"small-to-medium sized banks or credit unions have been targeted in
most of the reported incidents."

However, the agency did say a few large banks have also been
affected. In those cases, the criminals were able to conduct
unauthorized wire transfers overseas. The FBI said the amounts have
ranged between $400,000 and $900,000. And in at least one case,
"the actor(s) raised the wire transfer limit on the customer's
account to allow for a larger transfer."

But the damage goes beyond monetary. It is one thing for a customer
to be hacked or fall for a malware scam, but Tubin said it was
"totally different" for a financial institution itself to be
compromised. "The damage to the reputation of a large institution
could be devastating. The last thing a bank needs is to be
compromised."

No matter how good the technology, the FBI recommends a number of
basic precautions that financial enterprises should take. Among them:
Remind employees not to open attachments or click on links in
unsolicited emails; do not allow employees to access the Internet
freely, or personal or work emails on the same computers used to
initiate payments; do not allow employees to access administrative
accounts from home computers or laptops connected to home networks; and
ensure employees do not leave USB tokens in computers used to connect to
payment systems.

Financial institutions should also monitor employee logins that
occur outside of normal business hours; implement time-of-day login
restrictions for the employee accounts with access to payment systems;
and restrict access to wire transfer limit settings, the FBI said.
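The two monitoring controls above (off-hours logins by payment-system accounts, and any change to a wire transfer limit) can be expressed as simple detection logic over an authentication and audit log. The following is an added illustration, not from the FBI advisory or the article; the log format, the business-hours window and the list of payment-system accounts are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample audit log (not from the article): one event per line,
# "timestamp|user|action|detail".
SAMPLE_LOG = """\
2012-09-18T08:55:12|jdoe|login|workstation=PAY-01
2012-09-18T22:41:03|jdoe|login|workstation=PAY-01
2012-09-18T23:05:47|jdoe|wire_limit_change|old=50000 new=950000
2012-09-18T09:10:00|asmith|login|workstation=HR-07
2012-09-19T03:12:09|asmith|login|workstation=HR-07
2012-09-19T14:30:00|mlee|wire_limit_change|old=25000 new=30000
"""

PAYMENT_USERS = {"jdoe", "mlee"}            # assumed: accounts with payment-system access
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed: local business window, start inclusive

def parse_events(text):
    """Split each log line into a dict with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, user, action, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    return events

def in_business_hours(ts, hours=BUSINESS_HOURS):
    start, end = hours
    return start <= ts.time() < end

def off_hours_logins(events, payment_users=PAYMENT_USERS, hours=BUSINESS_HOURS):
    """Logins by payment-system accounts outside the business window.
    asmith's 03:12 login is not flagged here: the FBI's time-of-day rule
    is scoped to accounts that can reach payment systems."""
    return [e for e in events
            if e["action"] == "login" and e["user"] in payment_users
            and not in_business_hours(e["ts"], hours)]

def wire_limit_changes(events, hours=BUSINESS_HOURS):
    """Every limit change is a reviewable event; record old/new values and
    whether it happened off-hours, which is the pattern the FBI described
    (limit raised, then a larger transfer)."""
    out = []
    for e in events:
        if e["action"] != "wire_limit_change":
            continue
        kv = dict(p.split("=") for p in e["detail"].split())
        out.append({"user": e["user"], "ts": e["ts"],
                    "old": int(kv["old"]), "new": int(kv["new"]),
                    "off_hours": not in_business_hours(e["ts"], hours)})
    return out
```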

Roger Thompson, chief emerging threats researcher at ICSA Labs,
doesn't debate training vs. technology. He says both are critical:
"The best way to do security is think Swiss cheese. Any given layer
has lots of holes in it, but if you arrange your cheese slices in
layers, they cover up each other's holes. In other words, no one
layer has to be anywhere near perfect, provided there are enough
layers."

Corporate Publishing International. All rights reserved.

Provided by Syndigate.info an Albawaba.com company

COPYRIGHT 2012 Al Bawaba (Middle East) Ltd.